Forwarding stops working after SuperCharger Install


cminus

I had event forwarding set up and working well with custom event channels. Now, since I have installed SuperCharger, all forwarding has stopped. My current configuration through the web interface shows up. I can see all my subscriptions and my custom event logs and they all look correct. It has just stopped forwarding though. Can you offer some advice on the best way to troubleshoot this? Thank you!
bjvista

In reply to cminus - 8/2/2019:

Under logs, download the trace log. Zip/compress it and private message it to me here. I'll take a look and it should tell us what's going on.
cminus

In reply to bjvista - 8/5/2019:

bjvista, I sent you a private message with that trace. Just curious if you have had a chance to look at it to determine why forwarding might have stopped working after the Supercharger install. Thank you for any help!!!
cminus

bjvista, curious if you have had a chance to look at my trace. Any guidance on how to troubleshoot this one? I see events that say "WSMan operation EventDelivery completed successfully" but I don't see them in my custom channels. Thank you!
bjvista

In reply to cminus - 8/20/2019:

Everything in the Supercharger trace log looks normal. If you click on one of the red subscriptions in the dashboard, what is the reason for it being red? It should say next to Status.
cminus

In reply to bjvista - 8/26/2019:

So, my subscriptions are green and my clients seem to be subscribed. I am wondering if the issue is with the event channels? I see a bunch of these messages for all my channels. I had these channels in place prior to installing Supercharger and they had been working properly. Any ideas? Thank you!!!


bjvista

In reply to cminus - 8/27/2019:


So just that we're on the same page... all you did was install Supercharger and it stopped working? Did you create any subs with Supercharger? I see on the dashboard you have a bunch of custom event logs. Did you create these with Supercharger or was this all set up manually before using Supercharger? I'm just wanting to make sure because there is nothing that should be possible that would cause a Supercharger installation to break WEC.
cminus

In reply to bjvista - 8/27/2019:

Correct, I had those channels set up beforehand based on the following configuration:
https://github.com/palantir/windows-event-forwarding/tree/master/windows-event-channels
This had been working fine until I installed Supercharger and then I stopped getting events into those channels. Subscriptions look good and I see where clients are forwarding events. It's just that they are not landing in the logs on the collector. Any ideas on how to troubleshoot this? Thank you.
Tamas Lengyel

In reply to cminus - 8/27/2019:

Can you please run the following command from an Admin command prompt (replace SubName with the name of one of your problem subscriptions):
wecutil gs "SubName"

Could you post the output or send it in private message?

cminus

In reply to Tamas Lengyel - 9/16/2019:

Sure, here is my "Authentication" subscription. This subscription had been working fine prior to the Supercharger installation. Now I have no new events after 7/30 in my WEC1-Authentication channel. Thank you for any help.

Subscription Id: Authentication
SubscriptionType: SourceInitiated
Description: Authentication events during logon and logoff.
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 5
DeliveryMaxLatencyTime: 300000
HeartbeatInterval: 1800000
Query: <QueryList>
  <!-- Inspired by Microsoft Documentation and/or IADGOV -->
  <Query Id="0" Path="Security">
   <!-- 4624: An account was successfully logged on. -->
   <!-- 4625: An account failed to log on. -->
   <!-- 4626: User/Device claims information. -->
   <Select Path="Security">*[System[(EventID &gt;=4624 and EventID &lt;=4626)]]</Select>
   <!-- 4634: An account was successfully logged off. -->
   <!-- 4647: User initiated logoff. -->
   <!-- 4649: A replay attack was detected. -->
   <!-- 4672: Special privileges assigned to a new logon, administrative logins -sa, -ada, etc. -->
   <!-- 4675: SIDs were filtered. -->
   <Select Path="Security">*[System[(EventID=4634 or EventID=4647 or EventID=4649 or EventID=4672 or EventID=4675)]]</Select>
   <!-- 4774: An account was mapped for logon. -->
   <!-- 4775: An account could not be mapped for logon. -->
   <!-- 4776: The computer attempted to validate the credentials for an account. -->
   <!-- 4777: The domain controller failed to validate the credentials for an account. -->
   <!-- 4778: A session was reconnected to a Window Station. -->
   <!-- 4779: A session was disconnected from a Window Station. -->
   <Select Path="Security">*[System[(EventID &gt;=4774 and EventID &lt;=4779)]]</Select>
   <!-- 4800 The workstation was locked. -->
   <!-- 4801 The workstation was unlocked. -->
   <!-- 4802 The screen saver was invoked. -->
   <!-- 4803 The screen saver was dismissed. -->
   <Select Path="Security">*[System[(EventID &gt;=4800 and EventID &lt;=4803)]]</Select>
   <!-- 4964: Special groups have been assigned a new logon. -->
   <Select Path="Security">*[System[(EventID=4964)]]</Select>
   <!-- 5378 The requested credentials delegation was disallowed by policy. -->
   <Select Path="Security">*[System[(EventID=5378)]]</Select>
   <!-- Suppress SECURITY_LOCAL_SYSTEM_RID A special account used by the OS, noisy -->
   <Suppress Path="Security">*[EventData[Data[1]="S-1-5-18"]]</Suppress>
  </Query>
  </QueryList>
ReadExistingEvents: true
TransportName: http
ContentFormat: RenderedText
Locale: en-US
LogFile: WEC1-Authentication
PublisherName: Microsoft-Windows-EventCollector
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)(A;;GA;;;DD)

EventSource[0]:
Address: DC-1.initech.local
Enabled: true
EventSource[1]:
Address: Win10-PC1.initech.local
Enabled: true
EventSource[2]:
Address: Win10-PC3.initech.local
Enabled: true
EventSource[3]:
Address: Win7-PC2.initech.local
Enabled: true
EventSource[4]:
Address: Win7-PC4.initech.local
Enabled: true
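
Added example, not part of the thread and not Supercharger's own tooling: a collector-side check for the symptom described above, where sources report successful delivery but the destination channel stops growing. It assumes an elevated PowerShell session on the WEC collector; the default subscription name comes from the thread, and `$StaleAfterHours` is a hypothetical threshold chosen for illustration.

```powershell
# Added example (not from the thread). Run elevated on the WEC collector.
param(
    [string]$SubscriptionName = 'Authentication',  # subscription named in the thread
    [int]$StaleAfterHours = 24                     # assumed threshold, tune as needed
)

# 1. Subscription definition as XML: is it enabled, and where do events go?
[xml]$def = wecutil gs $SubscriptionName /f:xml
$sub      = $def.Subscription
$logName  = $sub.LogFile
"Subscription '$SubscriptionName': Enabled=$($sub.Enabled) LogFile=$logName"

# 2. Runtime view: per-source status, last error and last heartbeat.
wecutil gr $SubscriptionName

# 3. Destination channel: does it exist, is it enabled, is it full?
$log = Get-WinEvent -ListLog $logName -ErrorAction Stop
$log | Format-List LogName, IsEnabled, LogMode, IsLogFull, RecordCount,
                   FileSize, MaximumSizeInBytes, LogFilePath

# 4. Newest record actually written to the channel.
$newest = Get-WinEvent -LogName $logName -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $newest) {
    Write-Warning "No events at all in '$logName'."
} else {
    $age = (Get-Date) - $newest.TimeCreated
    "Newest event: $($newest.TimeCreated) from $($newest.MachineName)"
    if ($age.TotalHours -gt $StaleAfterHours) {
        Write-Warning ("'{0}' has received nothing for {1:N0} hours." -f $logName, $age.TotalHours)
    }
}

# 5. Flag problems with the channel itself.
if (-not $log.IsEnabled) { Write-Warning "Channel '$logName' is disabled." }
if ($log.IsLogFull)      { Write-Warning "Channel '$logName' is full (LogMode=$($log.LogMode))." }
```

Comparing the heartbeat times from step 2 with the newest record from step 4 shows whether sources are still checking in while nothing is being written to the channel.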

